aboutsummaryrefslogtreecommitdiff
path: root/share/security
diff options
context:
space:
mode:
Diffstat (limited to 'share/security')
-rw-r--r--share/security/advisories/FreeBSD-SA-20:33.openssl.asc53
-rw-r--r--share/security/patches/SA-20:33/openssl.11.patch204
-rw-r--r--share/security/patches/SA-20:33/openssl.11.patch.asc18
3 files changed, 254 insertions, 21 deletions
diff --git a/share/security/advisories/FreeBSD-SA-20:33.openssl.asc b/share/security/advisories/FreeBSD-SA-20:33.openssl.asc
index e5b703dcb6..48c1d14f50 100644
--- a/share/security/advisories/FreeBSD-SA-20:33.openssl.asc
+++ b/share/security/advisories/FreeBSD-SA-20:33.openssl.asc
@@ -14,22 +14,25 @@ Affects: All supported versions of FreeBSD.
Corrected: 2020-12-08 18:28:49 UTC (stable/12, 12.2-STABLE)
2020-12-08 19:10:40 UTC (releng/12.2, 12.2-RELEASE-p2)
2020-12-08 19:10:40 UTC (releng/12.1, 12.1-RELEASE-p12)
+ 2020-12-10 23:43:29 UTC (stable/11, 11.4-STABLE)
+ 2020-12-14 21:20:55 UTC (releng/11.4, 11.4-RELEASE-p6)
CVE Name: CVE-2020-1971
Note: The OpenSSL project has published publicly available patches for
-versions included in FreeBSD 12.x. This vulnerability is also known to
-affect OpenSSL versions included in FreeBSD 11.4. However, the OpenSSL
-project is only giving patches for that version to premium support contract
-holders. The FreeBSD project does not have access to these patches and
-recommends FreeBSD 11.4 users to either upgrade to FreeBSD 12.x or leverage
-up to date versions of OpenSSL in the ports/pkg system. The FreeBSD Project
-may update this advisory to include FreeBSD 11.4 should patches become
-publicly available.
+versions included in FreeBSD 12.x. FreeBSD 11.x includes an older OpenSSL
+version, and patches for that version from from the OpenSSL project are
+only available to premium support contract holders. This advisory includes
+an independently-developed backport of the patch for FreeBSD 11.4.
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
+0. Revision History
+
+v1.0 2020-12-08 Initial release.
+v1.1 2020-12-14 Added FreeBSD 11.4 patch.
+
I. Background
FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a
@@ -80,10 +83,16 @@ FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
+[FreeBSD 12.2, FreeBSD 12.1]
# fetch https://security.FreeBSD.org/patches/SA-20:33/openssl.patch
# fetch https://security.FreeBSD.org/patches/SA-20:33/openssl.patch.asc
# gpg --verify openssl.patch.asc
+[FreeBSD 11.4]
+# fetch https://security.FreeBSD.org/patches/SA-20:33/openssl.11.patch
+# fetch https://security.FreeBSD.org/patches/SA-20:33/openssl.11.patch.asc
+# gpg --verify openssl.11.patch.asc
+
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
@@ -104,6 +113,8 @@ Branch/path Revision
stable/12/ r368459
releng/12.2/ r368463
releng/12.1/ r368463
+stable/11/ r368530
+releng/11.4/ r368643
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
@@ -126,19 +137,19 @@ The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:33.openssl.asc>
-----BEGIN PGP SIGNATURE-----
-iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl/P6+RfFIAAAAAALgAo
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl/X2AhfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
-5cI4zQ//dy/tBaAq+kvGkWry74LzvqdZ5c0IIWH1UIrDab0wgmj8H5siP3Rpp7OB
-GKtpA+gDDmIgbe80fD+L6L5LR59wBU3sfyYPIcKIbPGl4ix2C5HK7reGns1qoX+O
-BFJd3gyPVeq4FD5/+btynyom8lcR//ta4dKKz2TERfd27iL8fM0AoLl+JI/axzJS
-d06Z2kA0gRo528DsVRsTbiZFINfhGm8wzeXYpAxwbpnedswOeukOxTsKXrdtSAy+
-BCq5BHdBxL/z4A2QLlrsYqpQH0Ty77ueGjqrq4QPFwq7dxSMDkfzz+YeGPKAvGsU
-lwyE2LlkP+531y4ueeGs5K6zRk8jDn7hJs+HfAtTy7y6d+VX9h7wRSssozC9DsV4
-87OWHkXOEj5LeDRDfrEKVLx+QBqRcOOY6mkT3mb5dB7o9bmqxtjf3CaQaA7eV7Y8
-a9QJvpO37m1ZpCC/kXACUPwmwbc5q8sjOsAcQiRAVeom6coFwDxs9u+yHX3uCLRJ
-zorgaLgce/c7yLUoQ/bA1/bfuOE7qIwxK7JosZSxv59CvavAhN/hBUcuL7CPCGrP
-u9LyYGPoYLXUj4CBKI7FmGkQVhNCLDhUYdvrVyRbTy3hihi1VtbFEZ8Dhipm4nL7
-Oko1LxjLb1dJiHEj9kHtNWRmhueuErxkgA+GWLlsJpjlGlC/YAU=
-=5e1s
+5cLRqQ/8DWGkrFkYn1mpbePFaWFkb2Gt9wexPjfa7oFVSPirHwEFFF1yr5p5hTNF
+lPyDeSmif5DsAa1fm5CqIVDc9R+kvs8QBfuvD6dRTDW0NSSjPILtBd+7DpnejGKY
+DGP9Q9aV8pniyJ029vduReF/U0VX/VtHuujYMZBBeXTcfWW1+/olMw0nkMno+3j/
+PFflN1d7Kj66b+RjqdIav72vuEmp0nzm8VlL4Sn53Im6TJuGg+24uCj2oCKmMfiR
+6mrS9D6H6/8VyAEI7aFfz52TN/Cuqx5U5HjonjRsnKCN/8tST6nxZ3MQ3F6eJRU6
+Tqzd9c1iYm9bWYWTpqtDx2dASiIICQeEj8f42RavU+BfpER9rKQi/pcJk/9ISu2L
+/EOmH735v1dWd5PVZiVQinx+v/Os5pCzAZEOxA4rI7prAFvnX2q7XsJI914p87FR
+SGwMy/cN7b23rJFLwNp29tpAJhaz9Ac/vAJwvUKEaoGqvcEC8zOPykMcOhcHXONq
+fXJWgkl/N8fkyKrSfFZkKF5r4aQGsuyaZje1YmrpWIOr/jzV9qL4CAvUhx116yJb
+XelP+aaXBD82kM3J0Ddivaz+/dP5ng/XUADJvAYzZ1g7N9fxYjLGF6nRJ3eXKuno
+NQfYPIYAc1TKYAU+k6pbxqQkVuYtTxHCSXdvUGMjh0scZArU8/s=
+=LaWf
-----END PGP SIGNATURE-----
diff --git a/share/security/patches/SA-20:33/openssl.11.patch b/share/security/patches/SA-20:33/openssl.11.patch
new file mode 100644
index 0000000000..d3f677651d
--- /dev/null
+++ b/share/security/patches/SA-20:33/openssl.11.patch
@@ -0,0 +1,204 @@
+--- crypto/openssl/crypto/asn1/asn1.h.orig
++++ crypto/openssl/crypto/asn1/asn1.h
+@@ -1203,6 +1203,7 @@
+ # define ASN1_F_ASN1_ITEM_DUP 191
+ # define ASN1_F_ASN1_ITEM_EX_COMBINE_NEW 121
+ # define ASN1_F_ASN1_ITEM_EX_D2I 120
++# define ASN1_F_ASN1_ITEM_EX_I2D 224
+ # define ASN1_F_ASN1_ITEM_I2D_BIO 192
+ # define ASN1_F_ASN1_ITEM_I2D_FP 193
+ # define ASN1_F_ASN1_ITEM_PACK 198
+@@ -1304,6 +1305,7 @@
+ # define ASN1_R_BAD_OBJECT_HEADER 102
+ # define ASN1_R_BAD_PASSWORD_READ 103
+ # define ASN1_R_BAD_TAG 104
++# define ASN1_R_BAD_TEMPLATE 221
+ # define ASN1_R_BMPSTRING_IS_WRONG_LENGTH 214
+ # define ASN1_R_BN_LIB 105
+ # define ASN1_R_BOOLEAN_IS_WRONG_LENGTH 106
+--- crypto/openssl/crypto/asn1/asn1_err.c.orig
++++ crypto/openssl/crypto/asn1/asn1_err.c
+@@ -1,6 +1,6 @@
+ /* crypto/asn1/asn1_err.c */
+ /* ====================================================================
+- * Copyright (c) 1999-2018 The OpenSSL Project. All rights reserved.
++ * Copyright (c) 1999-2020 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+@@ -103,6 +103,7 @@
+ {ERR_FUNC(ASN1_F_ASN1_ITEM_DUP), "ASN1_item_dup"},
+ {ERR_FUNC(ASN1_F_ASN1_ITEM_EX_COMBINE_NEW), "ASN1_ITEM_EX_COMBINE_NEW"},
+ {ERR_FUNC(ASN1_F_ASN1_ITEM_EX_D2I), "ASN1_ITEM_EX_D2I"},
++ {ERR_FUNC(ASN1_F_ASN1_ITEM_EX_I2D), "ASN1_item_ex_i2d"},
+ {ERR_FUNC(ASN1_F_ASN1_ITEM_I2D_BIO), "ASN1_item_i2d_bio"},
+ {ERR_FUNC(ASN1_F_ASN1_ITEM_I2D_FP), "ASN1_item_i2d_fp"},
+ {ERR_FUNC(ASN1_F_ASN1_ITEM_PACK), "ASN1_item_pack"},
+@@ -207,6 +208,7 @@
+ {ERR_REASON(ASN1_R_BAD_OBJECT_HEADER), "bad object header"},
+ {ERR_REASON(ASN1_R_BAD_PASSWORD_READ), "bad password read"},
+ {ERR_REASON(ASN1_R_BAD_TAG), "bad tag"},
++ {ERR_REASON(ASN1_R_BAD_TEMPLATE), "bad template"},
+ {ERR_REASON(ASN1_R_BMPSTRING_IS_WRONG_LENGTH),
+ "bmpstring is wrong length"},
+ {ERR_REASON(ASN1_R_BN_LIB), "bn lib"},
+--- crypto/openssl/crypto/asn1/tasn_dec.c.orig
++++ crypto/openssl/crypto/asn1/tasn_dec.c
+@@ -223,6 +223,15 @@
+ break;
+
+ case ASN1_ITYPE_MSTRING:
++ /*
++ * It never makes sense for multi-strings to have implicit tagging, so
++ * if tag != -1, then this looks like an error in the template.
++ */
++ if (tag != -1) {
++ ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_BAD_TEMPLATE);
++ goto err;
++ }
++
+ p = *in;
+ /* Just read in tag and class */
+ ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, NULL,
+@@ -240,6 +249,7 @@
+ ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_MSTRING_NOT_UNIVERSAL);
+ goto err;
+ }
++
+ /* Check tag matches bit map */
+ if (!(ASN1_tag2bit(otag) & it->utype)) {
+ /* If OPTIONAL, assume this is OK */
+@@ -316,6 +326,15 @@
+ goto err;
+
+ case ASN1_ITYPE_CHOICE:
++ /*
++ * It never makes sense for CHOICE types to have implicit tagging, so
++ * if tag != -1, then this looks like an error in the template.
++ */
++ if (tag != -1) {
++ ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_BAD_TEMPLATE);
++ goto err;
++ }
++
+ if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
+ goto auxerr;
+ if (*pval) {
+--- crypto/openssl/crypto/asn1/tasn_enc.c.orig
++++ crypto/openssl/crypto/asn1/tasn_enc.c
+@@ -151,9 +151,25 @@
+ break;
+
+ case ASN1_ITYPE_MSTRING:
++ /*
++ * It never makes sense for multi-strings to have implicit tagging, so
++ * if tag != -1, then this looks like an error in the template.
++ */
++ if (tag != -1) {
++ ASN1err(ASN1_F_ASN1_ITEM_EX_I2D, ASN1_R_BAD_TEMPLATE);
++ return -1;
++ }
+ return asn1_i2d_ex_primitive(pval, out, it, -1, aclass);
+
+ case ASN1_ITYPE_CHOICE:
++ /*
++ * It never makes sense for CHOICE types to have implicit tagging, so
++ * if tag != -1, then this looks like an error in the template.
++ */
++ if (tag != -1) {
++ ASN1err(ASN1_F_ASN1_ITEM_EX_I2D, ASN1_R_BAD_TEMPLATE);
++ return -1;
++ }
+ if (asn1_cb && !asn1_cb(ASN1_OP_I2D_PRE, pval, it, NULL))
+ return 0;
+ i = asn1_get_choice_selector(pval, it);
+--- crypto/openssl/crypto/x509v3/v3_genn.c.orig
++++ crypto/openssl/crypto/x509v3/v3_genn.c
+@@ -72,8 +72,9 @@
+ IMPLEMENT_ASN1_FUNCTIONS(OTHERNAME)
+
+ ASN1_SEQUENCE(EDIPARTYNAME) = {
+- ASN1_IMP_OPT(EDIPARTYNAME, nameAssigner, DIRECTORYSTRING, 0),
+- ASN1_IMP_OPT(EDIPARTYNAME, partyName, DIRECTORYSTRING, 1)
++ /* DirectoryString is a CHOICE type so use explicit tagging */
++ ASN1_EXP_OPT(EDIPARTYNAME, nameAssigner, DIRECTORYSTRING, 0),
++ ASN1_EXP(EDIPARTYNAME, partyName, DIRECTORYSTRING, 1)
+ } ASN1_SEQUENCE_END(EDIPARTYNAME)
+
+ IMPLEMENT_ASN1_FUNCTIONS(EDIPARTYNAME)
+@@ -107,6 +108,37 @@
+ (char *)a);
+ }
+
++static int edipartyname_cmp(const EDIPARTYNAME *a, const EDIPARTYNAME *b)
++{
++ int res;
++
++ if (a == NULL || b == NULL) {
++ /*
++ * Shouldn't be possible in a valid GENERAL_NAME, but we handle it
++ * anyway. OTHERNAME_cmp treats NULL != NULL so we do the same here
++ */
++ return -1;
++ }
++ if (a->nameAssigner == NULL && b->nameAssigner != NULL)
++ return -1;
++ if (a->nameAssigner != NULL && b->nameAssigner == NULL)
++ return 1;
++ /* If we get here then both have nameAssigner set, or both unset */
++ if (a->nameAssigner != NULL) {
++ res = ASN1_STRING_cmp(a->nameAssigner, b->nameAssigner);
++ if (res != 0)
++ return res;
++ }
++ /*
++ * partyName is required, so these should never be NULL. We treat it in
++ * the same way as the a == NULL || b == NULL case above
++ */
++ if (a->partyName == NULL || b->partyName == NULL)
++ return -1;
++
++ return ASN1_STRING_cmp(a->partyName, b->partyName);
++}
++
+ /* Returns 0 if they are equal, != 0 otherwise. */
+ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
+ {
+@@ -116,8 +148,11 @@
+ return -1;
+ switch (a->type) {
+ case GEN_X400:
++ result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address);
++ break;
++
+ case GEN_EDIPARTY:
+- result = ASN1_TYPE_cmp(a->d.other, b->d.other);
++ result = edipartyname_cmp(a->d.ediPartyName, b->d.ediPartyName);
+ break;
+
+ case GEN_OTHERNAME:
+@@ -164,8 +199,11 @@
+ {
+ switch (type) {
+ case GEN_X400:
++ a->d.x400Address = value;
++ break;
++
+ case GEN_EDIPARTY:
+- a->d.other = value;
++ a->d.ediPartyName = value;
+ break;
+
+ case GEN_OTHERNAME:
+@@ -199,8 +237,10 @@
+ *ptype = a->type;
+ switch (a->type) {
+ case GEN_X400:
++ return a->d.x400Address;
++
+ case GEN_EDIPARTY:
+- return a->d.other;
++ return a->d.ediPartyName;
+
+ case GEN_OTHERNAME:
+ return a->d.otherName;
diff --git a/share/security/patches/SA-20:33/openssl.11.patch.asc b/share/security/patches/SA-20:33/openssl.11.patch.asc
new file mode 100644
index 0000000000..04a1f67bc2
--- /dev/null
+++ b/share/security/patches/SA-20:33/openssl.11.patch.asc
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl/X1+ZfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cLSXA/+POtmlmjt6rC2UhrW91eAxVENBcN8rzjtlHwMqaJuV1Hdj8lcIqcQQyKV
+8XpdgcyRGIG9XDCekFkwITtamuIYCl47Mmp8BB6aoY+o8WKRn7AcwjS3Wsk45YF0
+0sbw6quT71i7CeIDTQyI/ku3ovacFnDo+aZFN4M4xJ5ESj4RwPdEno6xatsBAaeQ
+3slF62D+i1oTKkC1e5dTcvB9H/dhm9tPUTIkuNXwJ7ba/UF8zacnRyfS4vyu+IxG
+Tu8tTSxoPxp74Khin1JhlL3qkcVZkRP5bDjan/Jilu88Oi/OE+WAQGIYVb9ozxwj
+DHrXPGw2tkqCwt+0Dz2sYPKyJc3ceGQHJqWljFNvGe8tRBIHqbg9ig1RJkTUMWw9
+y1bFILvzzEpgRT8dZe4pSarF/+0+O9CyXNBJOPQKVKpx/QOqEIWo5Ohcb6sE3cbo
+n2epPYiuvpthmZQLaHJ9x/Q/CiDy31SjandK9UF4pe3rg0IdJpH1UmoxaXYLsK6l
+LxbFqgv6xR/WOl+/Xhk7BQ6vC6C6wy3hgZ5XfziZJCH9jammciS13KcwGlc+s3we
+1qWHtiYxJyo8GeRQQwcGnyPb1LyxQ2ELbxjceCB7nVHyPQsVFtzJkCN6fH9sl7Pl
+7o+oX6amcXd5NLN8SoqH2A0yU/l5mMjky0XfD8wdkpemOMui7mo=
+=2k8P
+-----END PGP SIGNATURE-----